Users can frontrun LSTs/LRTs tokens prices decrease in order to avoid losses
Summary
Users can redeem their PT/YT tokens before a price decrease of a supported LST/LRT token in order to avoid losses.
Vulnerability Detail
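Napier allows users to redeem their PT/YT tokens for ETH via BaseLSTAdapter::prefundedRedeem() instantly if the amount to be withdrawn is lower than or equal to the available ETH buffer. The in-scope adapters that allow this are:
A Napier user that staked in one of these adapters can:
… eETH or uniETH tokens will lose value.
… PT and YT tokens via Tranche::redeemWithYT(), which will call BaseLSTAdapter::prefundedRedeem(), in exchange for ETH.
Because the value drop is still not reflected in the Napier protocol, the staker will be able to withdraw his funds without being affected by the losses.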
In the case of eETH, a rebase token, an attacker can know if a balance drop will happen by monitoring the mempool for calls to rebase() in the EtherFi LiquidityPool contract.
In the case of uniEth an attacker can know if the token will lose value by monitoring the protocol validators for penalties and slashing events. Bedrock (uniEth) is built on top of Eigenlayer, which can be notified of balance drops due to penalties or slashings via two permissionless functions: EigenPod::verifyBalanceUpdates() and EigenPod::verifyAndProcessWithdrawals(). This allows an attacker to perform the following series of calls atomically to avoid losses:
Monitor the Bedrock validators on the beacon chain for penalties and slashings.
… PT/YT in exchange for ETH.
… uniETH will instantly drop.
Deposit the previously withdrawn ETH for more YT/PT tokens than the initial amount.
Another instance that instantly lowers the value held by the UniEthAdapter adapter is the call to UniETHAdapter::swapUniETHForETH(), because a 0.05% fee is paid to UniswapV3. Stakers can also front-run this call to avoid bearing the loss from the fee.
Impact
Stakers can avoid losses, which implies honest stakers will lose more than they should.
Code Snippet
Tool used
Manual Review
Recommendation
Introduce a withdraw queue; this will prevent this kind of frontrunning attack.
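A simplified share-accounting model of the impact and of the recommended withdraw queue, added here as an illustration and not Napier's code. The class and method names, the 50/50 buffer split and the 10% loss are assumptions; the model compares an instant redemption made just before a loss with the same request settled from a queue after the loss is reflected.

```python
from fractions import Fraction

class AdapterModel:
    """Toy share accounting for an LST adapter with an ETH buffer (hypothetical names)."""
    def __init__(self, queued):
        self.queued = queued                     # True: redemptions go through a withdraw queue
        self.buffer = self.staked = Fraction(0)  # idle ETH / ETH value of the LST position
        self.shares = {}                         # user -> share balance
        self.pending = []                        # users with a queued redemption request

    def price(self):
        total = sum(self.shares.values())
        return (self.buffer + self.staked) / total if total else Fraction(1)

    def deposit(self, user, eth):
        minted = eth / self.price()
        self.buffer += Fraction(eth, 2)          # assumed: half of each deposit stays liquid
        self.staked += Fraction(eth, 2)
        self.shares[user] = self.shares.get(user, 0) + minted

    def apply_loss(self, pct):
        self.staked -= self.staked * Fraction(pct, 100)  # only the staked part shrinks

    def _pay(self, user):
        owed = self.shares[user] * self.price()
        if owed > self.buffer:
            raise ValueError("redemption exceeds the ETH buffer")
        del self.shares[user]
        self.buffer -= owed
        return owed

    def redeem(self, user):
        if not self.queued:
            return self._pay(user)               # instant: priced before the loss is reflected
        self.pending.append(user)                # queued: recorded now, priced at settlement
        return Fraction(0)

    def settle(self):
        paid, self.pending = {u: self._pay(u) for u in self.pending}, []
        return paid

def scenario(queued):
    """Returns (ETH alice receives, ETH value of bob's remaining shares)."""
    m = AdapterModel(queued)
    m.deposit("alice", 100)
    m.deposit("bob", 100)
    early = m.redeem("alice")                    # alice exits just before the loss
    m.apply_loss(10)                             # staked position drops 10%
    late = m.settle().get("alice", 0)
    return early + late, m.shares["bob"] * m.price()
```

With instant redemption the whole 10 ETH loss lands on the staker who stayed; with queued settlement both stakers bear 5 ETH each.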
zzykxx
medium